CVE-2016-0757: Improper Access Control
(updated )
An authorization vulnerability in OpenStack Image service was discovered, which allowed image-status manipulation using locations. By removing the last location of an image, an authenticated user could change the status from ‘active’ to ‘queue’. A malicious tenant could exploit this flaw to silently replace owned image data, regardless of its original creator or visibility settings. Only environments with show_multiple_locations set to true (not default) were affected.
References
- rhn.redhat.com/errata/RHSA-2016-0309.html
- access.redhat.com/errata/RHSA-2016:0309
- access.redhat.com/errata/RHSA-2016:0352
- access.redhat.com/errata/RHSA-2016:0354
- access.redhat.com/errata/RHSA-2016:0358
- access.redhat.com/security/cve/CVE-2016-0757
- bugzilla.redhat.com/show_bug.cgi?id=1302607
- github.com/advisories/GHSA-5xrj-ghhp-hx7p
- nvd.nist.gov/vuln/detail/CVE-2016-0757
- security.openstack.org/ossa/OSSA-2016-006.html
- web.archive.org/web/20210123081823/https://www.securityfocus.com/bid/82696/
Detect and mitigate CVE-2016-0757 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →